A data breach at a Ministry of Defence (MoD) subcontractor has resulted in the exposure of personal data belonging to thousands of Afghans who were brought to the UK for safety.
Inflite The Jet Centre, a company providing ground-handling services at London Stansted airport, experienced a cyber-security incident, potentially compromising the names, passport details, and Afghan Relocations and Assistance Policy (Arap) information of up to 3,700 Afghans.
This incident follows a previous major data breach in 2022 that exposed the details of nearly 19,000 individuals who had requested to come to the UK to escape the Taliban, which was revealed just last month.
The government has stated that the breach “has not posed any threat to individuals’ safety, nor compromised any government systems”.
Currently, there is no indication that any of the compromised data has been made public.
The affected Afghans are believed to have arrived in the UK between January and March 2024 under a resettlement program for those who collaborated with British troops.
An email from the Afghan resettlement team, sent on Friday afternoon, alerted families to the potential exposure of their personal information.
The email stated that “This may include passport details (including name, date of birth, and passport number) and Afghan Relocations and Assistance Policy (Arap) reference numbers.”
The BBC understands that British military personnel and former Conservative government ministers are also among those affected.
A government spokesperson commented: “We were recently notified that a third party sub-contractor to a supplier experienced a cyber security incident involving unauthorised access to a small number of its emails that contained basic personal information.
“We take data security extremely seriously and are going above and beyond our legal duties in informing all potentially affected individuals.”
Inflite The Jet Centre issued a statement asserting that “the scope of the incident was limited to email accounts only” and that the matter has been reported to the Information Commissioner’s Office (ICO).
The ICO has confirmed to the BBC that it has received a report from Inflite.
Professor Sara de Jong of the Sulha Alliance, a charity supporting Afghans who worked for the British Army, described the breach as “astonishing”.
“The last thing that Afghans – who saved British lives – need is more worries about their own and their families’ lives,” she stated.
Prof. de Jong also urged the MoD to expedite all pending relocation cases for Afghans.
This incident follows a February 2022 incident where a British official mistakenly leaked the personal data of nearly 19,000 Afghans who had applied to move to the UK under the Arap scheme, leading to the secret relocation of thousands of Afghans.
The leaked spreadsheet contained names, contact details, and some family information of individuals potentially at risk from the Taliban.
The 2022 incident was only made public in July.
BBC’s Newsnight program has reported on the case of the son of an Afghan “Triples” elite special forces member who worked with the British Army and was affected by the original MoD data breach.
The man and his family initially applied to the Arap scheme, designed to relocate and protect Afghans who worked with British forces or the UK government in Afghanistan, shortly after the Taliban’s return to power in August 2021.
The family was in Pakistan awaiting a final decision on their application, which had been endorsed by the Ministry of Defence the previous year.
Newsnight reported that he faced imminent deportation back to Afghanistan after local authorities raided his Islamabad hotel.
His son, who managed to evade authorities and speak to the BBC, stated that his family would not survive a return to Afghanistan after their personal details were leaked.
“Please help my family and avoid their murder by the Taliban,” the son pleaded to the British government.
Newsnight learned on Friday, after the interview, that the man had been deported back to Afghanistan.
In response to the deportation, the MoD stated that it was “honouring commitments” to all eligible individuals who pass the relevant checks for relocation.
“As the public would rightly expect, anyone coming to the UK must pass strict security and entry checks before being able to relocate to the UK.
“In some cases people do not pass these checks,” it said.
Speaking on Newsnight, Sir Mark Lyall Grant, former UK national security adviser, called both breaches “deeply embarrassing” for the British government.
He added that while checks for relocation are necessary, the British government must “honour the commitment they made”.
“We do need to move faster to protect people who genuinely are at risk of being victimised and persecuted by the Taliban if they go back,” he stated.
Former Conservative Chancellor Kwasi Kwarteng told Newsnight that the data breaches were “very serious” and “really concerning” for people facing deportation back to Afghanistan.
Liberal Democrat Defence Spokesperson Helen Maguire accused the government of “staggering incompetence and clearly inadequate security standards,” and called for an “immediate, fully independent investigation” into the security breaches.
Deputy Lindsay de Sausmarez advised islanders to warn vulnerable people the posts were fraudulent.
Since a war with Israel in June, Iran has stepped up forcible returns. Some Afghans say they were beaten.
Email accounts were compromised before being used to request money transfers.
Anna Downes says she contacted the BBC after she lost hope that the police would take her seriously.
Transport company KNP forced to shut down after international hacker gangs target thousands of UK businesses.